Back to skill

Security audit

Agent Hotel Booking

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Brek hotel-booking API integration that discloses its network calls, API key use, booking/payment authority, and storage needs.

Install only if you trust the Brek partner integration and intend to let an agent assist with real booking workflows. Store BREK_PARTNER_API_KEY in a secret manager, restrict BREK_BASE_URL to the official Brek endpoint, require human confirmation for bookings, cancellations, price changes, and payment confirmation, and define retention/access controls for usage logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
77% confidence
Finding
This markdown file includes code that performs a network request and injects a partner API key into the `x-partner-api-key` header. The surrounding documentation presents the call mechanics but does not warn readers that the example sends credentials over the network or advise safe handling of the key.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.